EVENTS

The fourth branch of government

President Obama’s claim that he welcomes the debate over the NSA’s activities and planned to have one but that he objects to the fact that Edward Snowden revealed the things that he supposedly wants to discuss was obviously a lie. Does anyone seriously think that in the absence of Snowden, Obama would have one day voluntarily told the public what has been going on?

Max Ehrenfreund adds an interesting insight. He points out that much of this debate that Obama supposedly desires has already occurred and some of the measures had already been formally discussed and rejected by Congress.

The government’s surveillance policies are nonetheless indefensible because collectively, we have already decided, twice, that we oppose them. In a democracy, the government does not have the authority make decisions about the shape of a society independently of public opinion, even if those decisions are justified. The New York Times reports that the NSA has ignored this fundamental principle:

Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.

“And they went and did it anyway, without telling anyone,” Mr. Kocher said.

Likewise, Congress rejected a Bush administration proposal for a program called “Total Information Awareness,” which the surveillance apparatus then established anyway in secret. That was the program that became PRISM.

So it looks like the secret government that we have does what it damn well pleases irrespective of what the public government says it can or cannot do. It looks like in addition to the three branches of the government enumerated in the US constitution, we also have a fourth branch, the secret government. But whereas the other three are supposedly co-equal, it is clear that this one is supreme.

This has been another episode on my multi-part series, called “That’s democracy, baby!”

Yes and no. I think there is a big difference between the “clipper chip” and related “key escrow” proposals and the sort of soft-power influence the NSA has used to promote adoption of cryptographic standards with known-to-the-NSA weaknesses.

Kocher is exaggerating, they did not and have not “insert[ed] into all encryption a government back door.”

Snowden agrees, he told the Guardian that “properly implemented strong crypto systems are one of the few things that you can rely on.”

We need a law making it a crime to mess exert this kind of intentionally-destructive influence, but we don’t have one, and the non-adoption of another tenuously-related proposal in the 90’s doesn’t count. We also need to enforce laws on the books that ban hacking into corporate systems as the NSA is alleged to have done for the purpose of stealing encryption keys.

More generally, non-adoption of a proposal to do X is not equivalent to adoption of a proposal to ban X.

Yet more generally, we are not a democracy, and our government does in fact “have the authority make decisions about the shape of a society independently of public opinion” regardless of “if those decisions are justified.” The authority our government has is the authority we delegated to it through the Constitution, nothing more and nothing less. For example, when the government decided to “make a decision about the shape of a society” and integrate public education, it had the authority to do so “independently of public opinion.”

Sloppy, sloppy thinking and writing by Ehrenfreund. He even realized it himself near the end and retracted pretty much the entire column by writing “I don’t meant to argue that the National Security Agency lacks the legal or constitutional authority to pursue these policies (although that’s also an unresolved question) or that every policy should be decided by plebiscite.” Say what? If you don’t mean to argue that, why did you just spend a column arguing it?

Even more weirdly, the examples he picks of times when we have allegedly had this debate aren’t the best examples to prove the case. I would argue that the best example is the adoption of FISA in 1978 and it’s affirmative limits on when and under what circumstances electronic surveillance may be used. Those rules have since been subverted a hundred times and changed another hundred times, but at it’s core it is a stronger argument. Similarly, pointing to the Posse Comitatus Act would be a better argument than pointing to the non-adoption of other policy proposals.

In an environment where everything that is not explicitly illegal is done sooner or later, it is equivalent.

Say what? That’s precisely the environment in which it is not equivalent. That’s the environment in which you need to make something “explicitly illegal” in order for it not to be “done”, not the environment in which things become implicitly illegal because you once decided not to do something similar.

What difference does it make to have a clipper chip or intentionally weak encryption. The net result is the same.

One would have been mandatory and applied to all new telephone hardware, and would have carried penalties for non-compliance. The other is optional in that it applies only to the affected cryptography algorithms which are a few among a great many, as Snowden said using crypto that works is still possible and legal.

On the other hand, the intentionally weak encryption is in some respects worse, because it affects things other than telephone traffic and because it could be exploited by other adversaries more easily.

Say what? That’s precisely the environment in which it is not equivalent.

Sorry, I misunderstood what you were trying to say. Looks like we are in agreement then.

One would have been mandatory and applied to all new telephone hardware, and would have carried penalties for non-compliance. The other is optional in that it applies only to the affected cryptography algorithms which are a few among a great many […]

Not necessarily. Promotion of weak encryption can and probably also is being enforced. There was a time when software companies had to limit their key strength. There were also rumors that Microsoft added a backdoor in their encryption module so that when you know where to look the encryption is much weaker than it appears to be. Skype added a backdoor so that the encrypted communication can be broken. It is hard to believe that those companies do this on their own. Most likely they are being pressured to do so (or paid).

“There was a time when software companies had to limit their key strength.” No, not precisely, it was for export only. And those rules have been curtailed to only cover some very narrow categories.

I don’t understand the meaning of the sentence “Promotion of weak encryption can and probably also is being enforced.” Read literally it means that you think someone is going around enforcing that people promote weak encryption, which isn’t observed. Maybe you meant something like “They could and probably are enforcing that people use weak encryption.”? The thing is, that isn’t true. We have strong evidence that they promoted adoption of that weak ECC standard. But you can use whatever you want, and people have done so and continue to do so without being arrested, so I think the claim that they could be and probably are enforcing use of weak encryption is empirically false. “Promoting”, yes. “Enforcing”, no. “Enforcing” “promotion”, what does that even mean.

What we know has been done is so bad that I don’t see the need to exaggerate it for emphasis and spread the (false) meme that all encryption is worthless. Doesn’t it seem just as “probable” to you that “they” want that meme spread around?

Nevertheless it shows how weak cryptography can simply be legislated just like the clipper chip. And they can also simply coerce companies to modify their protocols so that they can listen in which apparently they have done in many cases.

None of which is universal or even nearly so.

Neighter would have been the clipper chip. Only within the country. You would just have to buy the phone from somewhere else where such chip is not mandatory. Same situation with compromised cryptographic protocols.

We have strong evidence that they promoted adoption of that weak ECC standard

I never heard that anyone was promoting ECC yet alone seen it in practice anywhere. All cryptography systems I am aware of, use either AES, RSA or a combination of both. And you don’t even need weak standards to listen in. Just compel some major players in the business to implement weak random number generators and voilá you can still be compliant to the best and most secure cryptographic protocol and listen in.

The specifics of the defeated clipper chip proposal are irrelevant to my general point, which is that deciding not to do X does not make Y illegal when Y and X are similar. It just doesn’t work that way. Never has, never will, and isn’t a good idea even if there was a variant of it you could make practical. FISA and the Posse Comitatus Act are the places to look for examples of previous laws that this action might violate, not making up out of whole cloth an ad hoc “principle” that the executive branch can’t do something if congress once decided not to do something similar.

The ECC constant choices they influenced weren’t the entire thing, just one part of it, AIUI.